How strong is your password? Even though this post from Donncha on the WordPress.com blog might have been written for the benefit of WordPress.com users, I believe that this is highly relevant for ALL bloggers. I could not find a WordPress plugin for the password strength meter without JQuery but that would be a very useful tool to have. Remember, the weakest link in our security chain is the common stuff we tend to overlook. Please make sure your password is not easily guessable.

After having my password hacked in high school (back in 1994 …) I started using phrases at least 14 characters in length made up of names, the greek alphabet, numbers and, in some cases, punctuation marks. To keep things secure, these passwords are changed every month and never used twice.

I did several internal assessment over password strength in my company and usually at least 30-40% of the passwords are too weak (things like you name, you surname, you company ID and so on)….
Passwords ARE the weak point. I also run penetration test and the other source of weakness are the software maintenance. You cannot do a lot against unpatched vulnerability, but the lack of update is often the key to break system security….
So, a check to your password is a good point to start….

I figured the chemical formula approach, coupled with a very simple algorithm, like reverse the formula would basically be unforgettable and produce relatively complex passwords that would generally not succumb to bruteforce attacks, unless someone has a chemical dictionary to hand of course. But, then you could always pick a compound like vancomycin tack on its molecular weight to several significant figures and then apply your algo. e.g start with C66H75Cl2N9O24 add the molecular weight, 1449.2536 without the decimal point and apply your personal system, chop of the ends, reverse it, remove the numbers and put them at the front, whatever…

The degree of vulnerability of automated systems is not given by technology, but by human error. Successful crackers rely on social engineering instead of brute force; technology is simply much more powerful than people.

I believe it’s wrong to look only at the password’s complexity and say when it is secure and when not. If the user doesn’t change the password for years, it’s just as bad as an easy to guess password. If the password is written on a post-it on the screen or under the keyboard, it’s useless. If the password is “password”, the user should pack the computer and send it back to the store.

A good password is one that: is difficult to memorize (not a word, not a number, definitely not something in the dictionary), is changed periodically, is not written down in clear. For their own convenience, people make the mistake of choosing easy to remember passwords, but these are also easy to guess or easy to be remembered by others who happen to take a glimpse at the password written down in your Moleskin. Make it hard for others to accidentally learn your password; you’ll be typing it every day, and you’ll learn it in a few days, but others should not be able to reproduce it even after staring at it for 10 seconds.

Try this: 8 lowercase characters and no vowels (more difficult to learn, unable to pronounce), having symbols on alternating sides of the keyboard (so you can type them fast with both hands). Examples: t8zj2yqk, wj4nv9qh, mrj1yvp3. Yeah, they don’t make sense, and that’s the point. Type them 20-30 times over 2 or 3 days, and you’ll be surprised how easy they come back to mind.

Want to write your password somewhere in plain sight but hidden from untrained eyes? Write a block of 8 lines, 8 characters per line – also numbers and consonants. Write your password on the sixth column, from the bottom up. Don’t tell anyone what those letters and numbers are, why you carry them in your wallet, and how the block should be read.

what’s the use of strong passwords when your no using an encrypted transport (like SSL). The WP installation from WP.org should have an integrated SSL solution instead of those plugins etc. Most of them are not that easy to install. Lots of bloggers blog ‘on the road’ and are vulnerable to sniffing.

Back on the strong password topic; try using passphrases. Those are generally longer than 8 to 10 characters, and pretty easy to remember

“…the weakest link in our security chain is the common stuff we tend to overlook.”

I couldn’t agree more. It can be difficult to teach someone the importance of using a ‘strong’ password. It comes down to education, and systems such as the one WordPress.com and other sites implement to suggest using stronger passwords.

About the Author

Mark Ghosh

An avid fan of business, education, technology and finance. I lead a lean, highly focussed and capable team of Java Back End developers and Front End developers through a maze of complex software wizardry to fulfill the web maintenance needs of a large chemical manufacturer. As per Myers-Briggs Personality Types, I am an ESTJ. I pride in a project completed on time and according to plan. My hobbies include all kinds of technology, anything that I can taste and anything that goes fast or flies in the air. I like to read business books and comics in my spare time.